Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

Mark Andrews <marka@isc.org> Mon, 11 December 2017 22:41 UTC

From: Mark Andrews <marka@isc.org>
To: Joe Abley <jabley@hopcount.ca>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop@ietf.org, Paul Vixie <paul@redbarn.org>
Date: Tue, 12 Dec 2017 09:40:58 +1100
Subject: Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa
Message-Id: <73B3C074-6B88-4BCC-8F0C-26D09066CD0A@isc.org>
In-Reply-To: <118C37A8-0DEF-460B-8A79-AAE470D3CED8@hopcount.ca>
References: <20171211090051.qjoruin7nkdjsnvd@nic.fr> <5A2E4B7C.50509@redbarn.org> <20171211091800.wonjnvhl3xrx6r4s@nic.fr> <118C37A8-0DEF-460B-8A79-AAE470D3CED8@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VRN9u9K8_ykVXPqM_7_qzzPd_7Q>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

You don’t add the DNAME to the ARPA domain because it does not add the insecure delegation that is REQUIRED.  You add the DNAME to the HOME.ARPA domain if you really want to redirect the traffic.  For some reason IANA wants to make this more complicated than it needs to be.  You don’t need to contact the AS112 server operators (an impossible task).  You just contact the existing ARPA server operators to install HOME.ARPA on those servers.  Add each NS as its operator says that their servers are reconfigured to support HOME.ARPA.

This is what I would end up with.

HOME.ARPA.	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2017121101 1800 900 604800 86400
HOME.ARPA.	NS	A.ROOT-SERVERS.NET.
HOME.ARPA.	NS	B.ROOT-SERVERS.NET.
HOME.ARPA.	NS	C.ROOT-SERVERS.NET.
HOME.ARPA.	NS	D.ROOT-SERVERS.NET.
HOME.ARPA.	NS	E.ROOT-SERVERS.NET.
HOME.ARPA.	NS	F.ROOT-SERVERS.NET.
HOME.ARPA.	NS	G.ROOT-SERVERS.NET.
HOME.ARPA.	NS	H.ROOT-SERVERS.NET.
HOME.ARPA.	NS	I.ROOT-SERVERS.NET.
HOME.ARPA.	NS	K.ROOT-SERVERS.NET.
HOME.ARPA.	NS	L.ROOT-SERVERS.NET.
HOME.ARPA.	NS	M.ROOT-SERVERS.NET.
HOME.ARPA.	DNAME	EMPTY.AS112.ARPA.

Mark

> On 12 Dec 2017, at 3:17 am, Joe Abley <jabley@hopcount.ca> wrote:
> 
> Hi Stéphane,
> 
> On 11 Dec 2017, at 04:18, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
>> On Mon, Dec 11, 2017 at 01:10:20AM -0800,
>> Paul Vixie <paul@redbarn.org> wrote 
>> a message of 31 lines which said:
>> 
>>> we have no way to assure that they hear a request that they add more
>>> secondary DNS zones to such servers. so if we delegate more zones
>>> that way, there will be a lot of SERVFAIL except for servers who
>>> send REFUSED. either way we have to consider the matter.
>> 
>> This problem was solved a long time ago by RFC 7535 (the new AS 112).
> 
> Note though that the homenet document specifically requests a delegation.
> 
> IANA are currently working through their process and trying to get AS112 operators to add the home.arpa zone, to avoid it being lame. This is apparently a good first thing to try because the idea of adding a DNAME record to the ARPA zone is scary and expected to receive push-back from root server operators.
> 
> (I may be putting words into Kim's mouth by abbreviating the situation that way, but my point is that the IANA team are aware of the disconnect between the likely-lame delegation to AS112 vs. the approach this working group documented in 7535 and are doing their best).
> 
> There is some related mail on the as112-ops list hosted at OARC. I think you need to subscribe to see the archive, so no deep link.
> 
> https://lists.dns-oarc.net/mailman/listinfo/as112-ops
> 
> 
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
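The zone Mark sketches above ends with a DNAME at the HOME.ARPA apex pointing at EMPTY.AS112.ARPA. What that does in practice is RFC 6672 DNAME substitution: any query for a name strictly below home.arpa that reaches the ARPA servers is rewritten onto the AS112 sink, while the apex itself keeps answering from its own SOA and NS set. The following script is an added example, not code from the message, from ISC or from the IETF; it parses a copy of that zone (abbreviated to three of the twelve NS records), applies the substitution the way an authoritative server would, and handles the one edge case RFC 6672 calls out, a substituted name that would exceed 255 octets (a YXDOMAIN response). It is useful from the privacy angle of this thread because it shows exactly where a leaked home.arpa query lands, which is the reason a resolver should serve home.arpa locally rather than let such names escape.

```python
"""DNAME substitution for the HOME.ARPA zone sketched in the message
(RFC 6672 section 2.2). Added example, not code from the message or ISC;
it models what an authoritative server does with the DNAME so the reader
can see where a query for a name under home.arpa ends up."""

MAX_NAME_OCTETS = 255  # RFC 1035 section 2.3.4 limit on a wire-format name

# Copy of the zone from the message, abbreviated to three of the twelve NS
# records (constructed copy); the DNAME record is what this example exercises.
ZONE_TEXT = """
HOME.ARPA.\tSOA\tA.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2017121101 1800 900 604800 86400
HOME.ARPA.\tNS\tA.ROOT-SERVERS.NET.
HOME.ARPA.\tNS\tB.ROOT-SERVERS.NET.
HOME.ARPA.\tNS\tC.ROOT-SERVERS.NET.
HOME.ARPA.\tDNAME\tEMPTY.AS112.ARPA.
"""


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def labels(name: str) -> list:
    """Split a name into its labels, dropping the empty root label."""
    return [label for label in normalize(name).split(".") if label]


def wire_length(name: str) -> int:
    """Octets the name occupies on the wire: a length byte per label plus the root byte."""
    return sum(len(label) + 1 for label in labels(name)) + 1


def parse_zone(text: str) -> list:
    """Parse 'owner type rdata' lines (tab or space separated) into RR tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rrs.append((normalize(owner), rtype.upper(), rdata))
    return rrs


def substitute_dname(qname: str, owner: str, target: str):
    """Apply RFC 6672 DNAME substitution.

    Returns the synthesized CNAME target when qname is strictly below owner,
    None when it is not (the owner name itself is never redirected), and
    raises ValueError, the equivalent of a YXDOMAIN response, when the
    substituted name would exceed 255 octets on the wire.
    """
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]
    new_name = ".".join(prefix + labels(target)) + "."
    if wire_length(new_name) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN: substituted name exceeds %d octets" % MAX_NAME_OCTETS)
    return new_name


def answer(zone: list, qname: str, qtype: str) -> list:
    """Answer section an authoritative server for this zone would return.

    A query strictly below the DNAME owner gets the DNAME RR plus a
    synthesized CNAME (RFC 6672 section 3.3); the apex itself is served
    from its own records (an empty list means NOERROR/NODATA).
    """
    qname, qtype = normalize(qname), qtype.upper()
    dname = next(((o, r) for o, t, r in zone if t == "DNAME"), None)
    if dname is not None:
        redirected = substitute_dname(qname, dname[0], dname[1])
        if redirected is not None:
            return [(dname[0], "DNAME", normalize(dname[1])), (qname, "CNAME", redirected)]
    return [rr for rr in zone if rr[0] == qname and rr[1] == qtype]


ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    # A host name that leaked out of a home network is redirected into the AS112 sink.
    for rr in answer(ZONE, "printer.home.arpa", "A"):
        print(rr)
    # The apex is not redirected; it answers from its own NS set.
    for rr in answer(ZONE, "home.arpa", "NS"):
        print(rr)
```

Running it prints the DNAME RR followed by the synthesized CNAME printer.home.arpa. → printer.empty.as112.arpa. for the leaked name, and the three NS records for the apex query. The 255-octet check matters because a DNAME target longer than its owner (empty.as112.arpa. is 7 octets longer than home.arpa.) can push an otherwise legal query name over the limit, and a server that skips the check would emit an invalid name.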